Android hit by rogue app malware
- 3 March 2011
- From the section Technology
More than 50 applications available via the official Android Marketplace have been found to contain malware.
Analysis suggests that the booby-trapped apps may have been downloaded up to 200,000 times.
The malicious apps were copies of existing software, such as games, that had been repackaged to include hidden code.
All the bogus applications have now been removed from the Android Marketplace.
Remove and recall
The rogue apps were discovered by a Reddit user called Lompolo who realised that one program was listed under the name of a publisher he knew had not written it.
He found that the app, which let people play guitar on their handset, was the same as the original but for a name change and some new code buried within it.
Lompolo said the rogue apps had been downloaded between 50,000 and 200,000 times since they were placed on the Marketplace.
Lompolo initially found 21 apps bearing malware but, according to an investigation by mobile security site Android Police, the final tally is believed to involve more than 50. The apps are also known to be available on unofficial Android stores too.
Once a booby-trapped application is installed and run, the virus lurking within, known as DroidDream, sends sensitive data, such as a phone's unique ID number, to a remote server.
It also checks to see if a phone has already been infected and, if not, uses known exploits to bypass security controls and give its creator access to the handset. This bestows the ability to install any code on a phone or steal any information from it.
The latest version of the Android operating system, known as Gingerbread, is not vulnerable to the exploits DroidDream uses.
As well as removing the applications from the Android Marketplace, Google has also suspended the three accounts being used by the developer behind the apps.
It also has the option to use a security tool that can recall and uninstall rogue applications from phones. It is not thought to have yet done this as its investigation continues. Google has yet to issue a formal statement about the rogue applications while it completes the investigation.
Writing on the Trend Micro security blog, Rik Ferguson, pointed out that remote removal of the booby-trapped apps may not solve all the security problems they pose.
"This remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection," he wrote.
He advised anyone who believed they had installed one of the malicious apps to find out whether they need to get a new handset or re-install the operating system on the one they have.
The open nature of the Android platform was a boon and a danger, he warned.
"This greater openness of the developer environment has been argued to foster an atmosphere of creativity," he wrote, "but as Facebook have already discovered it is also a very attractive criminal playground."